Wifi Penetration Testing

From the release of the first 802.11 wireless networking protocol in 1997, WiFi networks have grown in popularity to become the ubiquitous connectivity solution for many users worldwide, with 800 million new devices being manufactured every year. Early WiFi networks soon proved to be highly insecure, facilitating the cracking of access keys within a matter of hours or even minutes. Later implementations have stood the test of time and today the ability to configure a secure WiFi environment is within the grasp of any organisation.

As with many encryption technologies, however, the default configuration is often not secure, and can introduce technical vulnerabilities that sometimes are not widely documented.

Sec-Tec’s WiFi security assessments provide a cost-effective way to measure the security of your WiFi network(s) against best practice, and make real-world recommendations for identified issues.

What we test for

The following is a general overview of the type of common WiFi vulnerabilities that we test for during a penetration test, and should not be considered exhaustive. Details of the initial scoping and reporting stages can be found on our penetration testing page.

Unencrypted WiFi misconfiguration

Many organisations provide an unencrypted “guest” WiFi network for BYOD and corporate guest Internet access. While the majority of these types of network are considered low risk by their very nature, they can introduce a number of potential attack vectors:

If host isolation has not been adequately implemented, then network sniffing and man-in-the-middle attacks against other users of the network can often be trivially performed.

Endpoints themselves can potentially be attacked from another connected device.

Legacy encryption

While flaws in older encryption technologies such as WEP (Wired Equivalent Privacy) are well understood, some legacy hardware devices such as barcode scanners do not support newer, more secure alternatives. This can necessitate the use of legacy encryption protocols, sometimes with additional compensatory controls masking the issue. These compensatory controls, such as MAC address filtering, can often be trivially bypassed by changing the attacker’s device to match the MAC address of an authorised device.

Weak encryption keys

Encryption is only as effective as the encryption key used. It is often assumed that newer WPA/WPA2 PSK (Pre-shared Key) encryption algorithms are immune to attack. This is simply not the case. Without any knowledge of the encryption key, tools such as aircrack-ng can force legitimate WiFi clients to deauthenticate and reconnect to the network. By capturing the four-way handshake of the reconnection, a dictionary attack can be attempted, rendering weak and predictable encryption keys retrievable.
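The forced reconnect described above leaves a visible trace on air: a burst of deauthentication frames against one BSSID. The following detection logic, an added example rather than Sec-Tec's code, flags such bursts in a management-frame log; the log format (one frame per line, "seconds subtype bssid station") and the sample lines are constructed assumptions.

```python
"""Flag deauthentication floods in an 802.11 management-frame log (added
example, not Sec-Tec's code). Log format is an assumption: one frame per
line, "<seconds> <subtype> <bssid> <station>", as a wireless IDS or a
capture filtered to management frames might export."""
from collections import defaultdict, deque

# Constructed sample: normal frames, two isolated deauths, then a burst of
# six deauths against BSSID ...:01 within a quarter of a second.
SAMPLE_LOG = """\
0.00 beacon aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
0.10 probe_resp aa:bb:cc:dd:ee:01 11:22:33:44:55:66
0.50 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
5.00 deauth aa:bb:cc:dd:ee:02 11:22:33:44:55:77
10.00 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
10.05 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
10.10 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
10.15 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
10.20 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
10.25 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
10.40 auth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
"""


def parse_frames(log):
    """Return (time, subtype, bssid, station) tuples; malformed lines are skipped."""
    frames = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].replace(".", "", 1).isdigit():
            frames.append((float(parts[0]), parts[1], parts[2].lower(), parts[3].lower()))
    return frames


def detect_deauth_floods(frames, window=2.0, threshold=5):
    """One alert (bssid, window_start, count) per BSSID, raised the first time
    `threshold` deauths are seen within `window` seconds. A legitimate AP
    deauthenticates a client occasionally; a burst like this is a forced
    reconnect, after which the WPA handshake is replayed on air."""
    recent = defaultdict(deque)          # bssid -> timestamps of recent deauths
    alerted, alerts = set(), []
    for t, subtype, bssid, _station in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window:         # slide the window forward
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, q[0], len(q)))
    return alerts
```

Tune `window` and `threshold` to the access point's normal deauth rate; the single deauths at 0.50 s and 5.00 s in the sample are left alone.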

Evil twin attacks

Evil twin attacks involve introducing a malicious access point advertising a legitimate network name in order to fool devices into connecting to it. Once connected, a number of potential attacks can be attempted:

If the device is utilising WPA/2 Enterprise but not validating AP certificates, then the RADIUS authentication attempt can be captured and certain cryptographic attacks attempted.

Users can be presented with a fake web portal in an attempt to obtain their domain credentials or other authentication tokens. Fake SharePoint or OWA login pages are particularly effective in this type of attack.

Insecure EAP types

WPA/2 Enterprise networks have another important configuration decision to make that simpler PSK networks do not: which EAP type(s) to support. EAP (Extensible Authentication Protocol) is an authentication framework within which different authentication schemes can be supported. The selection of secure EAP types is fundamental to a secure WPA/2 Enterprise network. Flawed EAP types, such as LEAP (Lightweight Extensible Authentication Protocol), can render a network vulnerable to trivial cryptographic attack.
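Both of the WPA/2 Enterprise weaknesses above, clients that do not validate the RADIUS server certificate (the evil twin case) and weak EAP types, are visible in client supplicant configuration. The following audit, an added example rather than Sec-Tec's code, parses a constructed wpa_supplicant configuration and reports both; the key names (ca_cert, domain_suffix_match and the other *_match options) are wpa_supplicant's own, and the second network block shows the hardened form.

```python
"""Audit wpa_supplicant network blocks for unvalidated RADIUS certificates and
weak EAP types. Added example, not Sec-Tec's code; the config is constructed."""
import re

SAMPLE_CONF = """\
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="scanners"
    key_mgmt=WPA-EAP
    eap=LEAP
}
"""
WEAK_EAP = {"LEAP", "MD5"}                      # no server auth, weak challenge/response
TLS_EAP = {"PEAP", "TTLS", "TLS", "FAST"}        # methods that authenticate the server by cert
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """One {key: value} dict per network={...} block, quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        pairs = (l.strip().partition("=") for l in body.splitlines() if "=" in l)
        nets.append({k: v.strip('"') for k, _, v in pairs})
    return nets

def audit(conf):
    """(ssid, finding) pairs for every WPA-EAP block that is weak."""
    findings = []
    for net in parse_networks(conf):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks are out of scope here
        ssid, methods = net.get("ssid", "?"), net.get("eap", "").upper().split()
        findings += [(ssid, f"weak-eap:{m}") for m in methods if m in WEAK_EAP]
        if any(m in TLS_EAP for m in methods):
            if "ca_cert" not in net:  # any RADIUS certificate is accepted
                findings.append((ssid, "no-ca-cert"))
            if not any(k in net for k in NAME_CHECKS):  # any cert from that CA is accepted
                findings.append((ssid, "no-server-name-match"))
    return findings
```

The "corp-wifi" block accepts any certificate presented by a rogue access point; "corp-wifi-hardened" pins both the issuing CA and the server name and produces no findings.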

WiFi Protected Setup (WPS) vulnerabilities

WiFi Protected Setup (WPS) is a mechanism that simplifies adding new devices to an existing WiFi network. Several WPS modes exist: some involve pressing a button on the WiFi access point, others require the entry of a PIN. WPS implementations that require a PIN are often vulnerable to a trivial brute-force attack, which can allow anyone to recover the WPA PSK within approximately 24 hours using tools such as Reaver. WPS support is commonly found in SOHO-grade solutions, but is not typically available in enterprise infrastructure.

In summary

Wireless connectivity introduces certain intrinsic risks that do not impact wired networks. For example, a WiFi network can be jammed with RF interference in order to perform a Denial of Service attack. This vulnerability is not one that can be readily mitigated using off-the-shelf solutions, and renders WiFi connectivity unsuitable for truly mission-critical environments. However, its convenience for casual and roaming access makes WiFi connectivity massively desirable. As with most things cryptographic, the WiFi default configuration often needs hardening to provide sufficient safeguards against attack. WiFi penetration testing is one way to identify gaps within your existing networks and implement corrective actions to mitigate those risks. This is generally a straightforward process which can be particularly cost-effective when combined with existing internal penetration test efforts.